1. Introduction

In their groundbreaking paper, Diffie and Hellman [3] proposed the first public-key operation, now known as the Diffie-Hellman key agreement protocol. Over three decades later, this protocol remains crucially important, a component of a great many cryptographic protocols.

In this paper we compare several models that capture the Diffie-Hellman protocol, with the aim of identifying a model that is both well-suited for automated protocol analysis and that has a strong, well-justified link to the model typically adopted in the computational complexity community. The core goal of any such model is to express the concept of derivability: values that can be produced by the model attacker. We start with the computational complexity view of a non-uniform adversary, in which derivability is defined by what can be computed with non-negligible probability by a polynomially bounded non-uniform family of circuits.

We make two changes to this model: we replace computability with a Dolev-Yao style adversary, and we use non-standard analysis techniques to reduce the parametrized asymptotic setting to a simpler, singular one. The use of non-standard analysis helps justify our use of a hyperfinite field of exponents.

Unfortunately, the formal model that results is not usable for automated analysis. First, as shown by Dougherty and Guttman [4], it is not a well-behaved message algebra. Worse, any reasonable attempt at emulating this formal model with an algebra would be problematic because the exponents would form a ring structure, and unification, a key technique in automated exploratory protocol analysis, is not known to be decidable for rings. Thus, we restrict our formal model to a weaker one which does not capture exponent addition or group multiplication.

This would seem to be a problematic model: it seems to deny the adversary some abilities that computability clearly includes, such as the ability to add exponents and multiply bases. Thus, it is open to criticism on the basis that it captures a smaller range of adversarial behavior than the previous model. We show that while this smaller model is less expressive and thus can be used to describe a smaller range of derivability statements, all derivability statements describable in the smaller model that are true in the larger model are true in the smaller model. In other words, the criticism is not well-justified: the only loss in using this smaller model is in restricting the type of statements it can describe. And since this smaller model is still capable of expressing the Diffie-Hellman protocol itself, it is of interest.

1.1. Our results. Figure 1 gives a diagram describing the various models we discuss in this paper. A is the purely computational model, discussed in Section 2. In Section 3, we give an introduction to non-standard analysis. In Section 4, we discuss the model B obtained by applying a non-standard analysis "limit" to the computational model. In Section 5 we discuss the process of formalizing our models. C is obtained via a minimal and natural formalization of the computational model, while D is obtained from C by applying a non-standard limit to C. However, D can also be constructed in a simpler way by a more radical formalization of B. In Section 5 we prove one of our two main results: that these two models are equivalent, so the simpler version of D may be regarded as the result of a minimal formalization of the computational model. In Sections 6 and 7 we prove the main technical lemmas supporting this result. Finally, in Section 8 we discuss the restriction of the resulting model to our Diffie-Hellman algebra and prove our other main result: a conservative extension relationship between the restricted and full Diffie-Hellman models.

Figure 1. Relationships among various Diffie-Hellman models we discuss.


2. Diffie-Hellman

The Diffie-Hellman protocol is described in a finite group $G$ of prime order $\mathrm{Ord}(G) = p$, along with a generator $g$. It is believed that in such groups the "discrete logarithm problem" of finding a random $x$ given $(G, g, g^x)$ is hard. It is further believed that if $x$ and $y$ are random, it is hard to find $g^{xy}$ given $(G, g, g^x, g^y)$; this is called the computational Diffie-Hellman problem.

The hardness of these computational problems is the basis of Diffie-Hellman key exchange and many other cryptographic techniques. There are certain aspects of the standard computational model, in which statements of the tractability or intractability of such problems are made, that need to be reviewed here. In particular, it is important to state the computational hardness of such problems in a way that seems realistic.

First of all, such statements are asymptotic ones. These problems may be solved via brute force if the prime order $p$ is small enough. Thus, any asymptotic definition will necessarily include an infinite family of $p$, $G$, and $g$. However, one attractive feature of discrete logarithm-based cryptography is that no "trap-door" is thought to exist making the discrete logarithm problem or the computational Diffie-Hellman problem easy under a given set of parameters. Thus, the same parameters can be used by everyone.

Second, hardness is meant to be as close as possible to impossibility, but we must recognize that randomized algorithms will always have a tiny chance of success, for instance, by guessing the right answer at random. Thus, the standard computational model concerns problems that can be solved with non-negligible probability.

2.1. Preliminaries and notation. The expression $\Pr[v_1 \leftarrow A_1; \ldots; v_n \leftarrow A_n : P(v_1, \ldots, v_n)]$ refers to the probability that $P(v_1, \ldots, v_n)$ holds given assignment of each of $v_1$ through $v_n$ based on probability distributions $A_1, \ldots, A_n$. When a finite set is given in place of a probability distribution, the uniform distribution on that set is implied. When an algorithm is in place of a probability distribution, it is implied that a run of that algorithm is performed, with uniform randomness if the algorithm is randomized.

A rational expression with integer coefficients is an element of the field of quotients of the polynomial ring $\mathbb{Z}[x_1, \ldots, x_n]$. We denote it by $\mathbb{Z}(x_1, \ldots, x_n)$. A monomial is an expression of the form $M(\bar x) = \bar x^{\bar a} = x_1^{a_1} \cdots x_n^{a_n}$ where $n \in \mathbb{N}$ and $a_i \in \mathbb{Z}$. We associate to the monomial $M$ the function (which by abuse of language we also denote by $M$) $\bar\alpha \mapsto \alpha_1^{a_1} \cdots \alpha_n^{a_n}$, defined whenever all $\alpha_i \neq 0$.

We use a bar to indicate a sequence of values. Thus, we may describe a particular rational expression as $R(\bar x)$, which leaves ambiguous the value of $n$ such that $R \in \mathbb{Z}(x_1, \ldots, x_n)$. If $\bar R$ is a sequence of rational expressions $\bar R = R_1, \ldots, R_n$, we can use $\bar R(\bar x)$ to refer to $(R_1(\bar x), \ldots, R_n(\bar x))$ and $g^{\bar R(\bar x)}$ to refer to $(g^{R_1(\bar x)}, \ldots, g^{R_n(\bar x)})$. Let $(\bar R_0, \bar R_1)$ be a pair of sequences of rational expressions each on the same number of inputs. Whenever we have a space of base values $B$ along with an exponentiation operation $B \times \mathbb{Z} \to B$, and a distinguished base $g$, we can define $R : \mathbb{Z}^k \to B^m \times \mathbb{Z}^n$ by $R(\bar x) = (g^{\bar R_0(\bar x)}, \bar R_1(\bar x))$. We call such a pair $(\bar R_0, \bar R_1)$ an information function.

Systems of exponent environments. Let $G$ be a cyclic group of prime order $p$. Since $G$ is of prime order, every $g \in G$ such that $g \neq 1_G$ is a generator for $G$. In particular, exponentiation is a mapping $G \times \mathbb{Z} \to G$. However, since $g^k$ depends only on the equivalence class of $k$ modulo $p$, we can view exponentiation as a mapping $G \times \mathbb{Z}/(p) \to G$. We thus view the set of exponents as a field. Suppose $G_k$ is a sequence of such cyclic groups where each $G_k$ is of prime order $p_k$, such that $p_k \to \infty$. Assume that $g_k$ is a sequence of generators for each $G_k$.

Definition 2.1. A sequence $S = \{(G_k, g_k, p_k) : k \in \mathbb{N}\}$ is an admissible system of exponentiation environments if $G_k$ is a cyclic group of prime order $p_k$, where $g_k$ is a generator, and there are constants $0 < c < C < \infty$ such that $c\,2^k < p_k < C\,2^k$.

Remark 2.2. It is clear that the exponential growth assumption on $p_k$ is equivalent to the inequality

(1) $a \log p_k - b < k < A \log p_k - B$

for some positive constants $a, b, A, B$.

In this paper we are concerned with whether certain values can be derived from certain other values. We restrict to a class of such problems in which the information provided and the values to be derived are both based on rational expressions in the exponent.

Definition 2.3. Given an admissible system $S$ of exponentiation environments, a derivation problem for $S$ is a pair of information functions $((\bar\alpha_0, \bar\alpha_1), (\bar\beta_0, \bar\beta_1))$ representing the problem of deriving $R(\bar\beta)$ from $R(\bar\alpha)$.

Example 2.4. The discrete logarithm problem has $\alpha_0(x) = x$, $\beta_1(x) = x$, and $\alpha_1$ and $\beta_0$ empty sequences. Thus, $\alpha(x) = g^x$ and $\beta(x) = x$.

Example 2.5. The computational Diffie-Hellman problem has $\alpha_0(x_1, x_2) = (x_1, x_2)$ and $\beta_0(x_1, x_2) = x_1 x_2$, and $\alpha_1$ and $\beta_1$ both empty sequences. Thus, $\alpha(x_1, x_2) = (g^{x_1}, g^{x_2})$ and $\beta(x_1, x_2) = g^{x_1 x_2}$.
2.2. Computational model of derivability. In order to define the computational view of when a derivation problem is solvable, we must introduce two concepts: the notion of a polynomially bounded non-uniform randomized circuit family, and the notion of a negligible function. Roughly, a circuit is a composition of a finite number of NAND gates. The size of a circuit is the number of NAND gates. Each circuit is the implementation of a unique function $\{0,1\}^* \to \{0,1\}^*$. $\mathcal{C}$ denotes the class of circuits.

A set $\{A_k \mid k \in \mathbb{N}\}$ of circuits is a non-uniform circuit family. Let $\mathcal{NC}$ be the set of non-uniform circuit families.

A non-uniform circuit family $\{A_k\}$ is polynomially bounded if there exists a polynomial $p(k)$ such that for all $k$, $|A_k| < p(k)$. Let $\mathcal{PNC}$ be the set of polynomially bounded non-uniform circuit families.

We may think of circuits as randomized in the sense that some inputs may be reserved for random bits. Computation by randomized polynomially-bounded non-uniform circuit families is the most general standard notion for security of discrete logarithm-based cryptographic schemes [2]. The non-uniform stipulation is important to model security where parameters are reused, as they often are for Diffie-Hellman. This scenario is a bit more complex than the more typical case of computation by a probabilistic polynomial-time Turing machine, because that amounts to a uniform family of circuits rather than a non-uniform one.

Negligible functions. A function $f : \mathbb{N} \to \mathbb{R}$ is negligible if and only if for every positive $n$ there is a positive constant $C$ such that $|f(k)| < C k^{-n}$. This is equivalent to the form preferred in the cryptography literature:

(2) $\forall n \in \mathbb{N}\ \exists k_0\ \forall k > k_0 \quad |f(k)| < k^{-n}$

Condition (2) clearly implies negligibility. Conversely, if $f$ is negligible, for positive $n$ there is a $C$ such that $|f(k)| < C k^{-(n+1)}$ for all $k$. Let $k_0$ be such that $C k_0^{-1} < 1$. Then $|f(k)| < k^{-n}$ for all $k > k_0$. Contrapositively, a function $f$ is non-negligible if and only if there are $n$ and infinitely many $k$ such that $|f(k)| \geq k^{-n}$.

It is essential to consider the non-uniform case to capture the assumption that there do not exist trapdoors for the common parameters.

Definition 2.6. A derivation problem $(\alpha, \beta)$ is solvable if:

$\exists \{A_k\} \in \mathcal{PNC} : \Pr[\bar x \leftarrow (\mathbb{Z}/(p_k))^n;\ v \leftarrow A_k(\alpha(\bar x)) : v = \beta(\bar x)]$ is non-negligible (as a function of $k$).

This notion of solvable gives us a natural corresponding notion of "hard": namely, a derivability problem is hard if it is not solvable.
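As an added, concrete illustration of Definitions 2.1, 2.3 and 2.6 (example code, not from the paper): the script builds a small admissible environment $(G_k, g_k, p_k)$ as the order-$p_k$ subgroup of $\mathbb{Z}_q^*$, states the discrete logarithm and computational Diffie-Hellman problems of Examples 2.4 and 2.5 as information-function pairs, and estimates the success probability of a guessing "circuit" whose budget is polynomial in $k$. The way $q$ and $g$ are chosen and the guessing adversary are assumptions of the example.

```python
"""Derivation problems (Definitions 2.1, 2.3, 2.6) on a concrete small group.

Added example, not from the paper.  The environment is the subgroup of
prime order p inside Z_q^*, with 2^k < p < 2^(k+1) (Definition 2.1 with
c = 1, C = 2).  Exponent vectors x-bar are drawn uniformly from (Z/(p))^n.
"""
import random
from typing import Callable, Tuple


def is_prime(n: int) -> bool:
    """Trial division; adequate for the small k used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def admissible_environment(k: int) -> Tuple[int, int, int]:
    """Return (q, p, g): g generates the order-p subgroup of Z_q^*, 2^k < p < 2^(k+1)."""
    p = 2 ** k + 1
    while not is_prime(p):            # Bertrand's postulate: a prime exists below 2^(k+1)
        p += 1
    assert p < 2 ** (k + 1)
    q, i = 2 * p + 1, 1
    while not is_prime(q):            # smallest prime q = 2 i p + 1, so p divides q - 1
        i += 1
        q = 2 * i * p + 1
    h = 2
    while pow(h, (q - 1) // p, q) == 1:   # h^((q-1)/p) has order exactly p unless it is 1
        h += 1
    return q, p, pow(h, (q - 1) // p, q)


class Env:
    """One exponentiation environment (G, g, p); exponents live in the field Z/(p)."""

    def __init__(self, k: int):
        self.k = k
        self.q, self.p, self.g = admissible_environment(k)

    def exp(self, base: int, e: int) -> int:
        return pow(base, e % self.p, self.q)

    def info_function(self, r0: Callable, r1: Callable) -> Callable:
        """Information function (R0-bar, R1-bar): x-bar -> (g^{R0(x)}, R1(x)) as in Section 2.1."""
        return lambda xs: (tuple(self.exp(self.g, r) for r in r0(xs)), tuple(r1(xs)))


def discrete_log_problem(env: Env):
    """Example 2.4: alpha(x) = g^x, beta(x) = x; one exponent variable."""
    alpha = env.info_function(lambda xs: (xs[0],), lambda xs: ())
    beta = env.info_function(lambda xs: (), lambda xs: (xs[0],))
    return alpha, beta, 1


def cdh_problem(env: Env):
    """Example 2.5: alpha(x1, x2) = (g^x1, g^x2), beta(x1, x2) = g^(x1 x2)."""
    alpha = env.info_function(lambda xs: (xs[0], xs[1]), lambda xs: ())
    beta = env.info_function(lambda xs: (xs[0] * xs[1],), lambda xs: ())
    return alpha, beta, 2


def guessing_adversary(env, alpha, beta, n, budget, rng, instance):
    """A 'circuit' with `budget` guesses (assumed adversary): recompute alpha on a
    random x-bar' and answer beta(x-bar') for the first guess whose alpha matches."""
    last = None
    for _ in range(budget):
        guess = tuple(rng.randrange(env.p) for _ in range(n))
        last = beta(guess)
        if alpha(guess) == instance:
            return last
    return last


def success_rate(env, problem, budget, trials, seed=0):
    """Monte Carlo estimate of Pr[x <- (Z/(p))^n; v <- A(alpha(x)) : v = beta(x)]."""
    rng = random.Random(seed)
    alpha, beta, n = problem(env)
    wins = 0
    for _ in range(trials):
        xs = tuple(rng.randrange(env.p) for _ in range(n))
        v = guessing_adversary(env, alpha, beta, n, budget, rng, alpha(xs))
        wins += v == beta(xs)
    return wins / trials


if __name__ == "__main__":
    # A budget of k^2 guesses against p > 2^k: the advantage shrinks faster than any k^-m.
    for k in (6, 8, 10, 12):
        env = Env(k)
        print(k, env.p, success_rate(env, discrete_log_problem, k * k, 200),
              success_rate(env, cdh_problem, k * k, 200))
```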

3. Review of Non-standard Analysis

Our reference for non-standard analysis is [1]. The main constituents of non-standard analysis are a pair of universes $\mathbb{U}$ and ${}^*\mathbb{U}$ and an operator ${}^* : \mathbb{U} \to {}^*\mathbb{U}$ called an enlargement operator. The transfer principle is the fact that the operator ${}^*$ preserves the validity of first order formulas. Mathematical terms such as function, cardinality, finiteness, field can be carried over to ${}^*\mathbb{U}$ and the enlargement operator preserves their basic properties. We will refer to $\mathbb{U}$ as the standard universe and ${}^*\mathbb{U}$ as the non-standard universe. The transfer principle is stated as follows:
Table 1. Translation Table for Relations, Operators and Predicates

    $\mathbb{U}$        ${}^*\mathbb{U}$
    $\in$               ${}^*{\in}$
    $\mathbb{N}$        ${}^*\mathbb{N}$
    $\mathbb{C}$        ${}^*\mathbb{C}$
    $\mathbb{R}$        ${}^*\mathbb{R}$
    $\cup$              ${}^*{\cup}$
    E                   ${}^*$E
    $(\cdot,\cdot)$     ${}^*(\cdot,\cdot)$
    $\cap$              ${}^*{\cap}$
    V                   ${}^*$V
    function            ${}^*$function
    card                ${}^*$card
    finite              ${}^*$finite


3.1 (Transfer). If $\Phi(x_1, \ldots, x_n)$ is a formula with bounded quantification whose free variables are among $x_1, \ldots, x_n$, then for $a_1, \ldots, a_n \in \mathbb{U}$, $\Phi(a_1, \ldots, a_n)$ is valid in $\mathbb{U}$ if and only if $\Phi({}^*a_1, \ldots, {}^*a_n)$ is valid in ${}^*\mathbb{U}$.

By formula we mean a first order formula with the predicate symbols "$\in$" and "$=$" and some constants such as $1$ and $\mathbb{N}$. The restriction to bounded formulas is not strictly necessary, but it allows us to assume that the model ${}^*\mathbb{U}$ interprets the membership operator as $\in$. The reference [1] follows this approach while [6] allows for unrestricted quantifiers.

We could build a correspondence table between symbols in the standard universe and symbols in the non-standard one. To each construct (predicate, operator, relation) $C$ in the standard universe corresponds a construct ${}^*C$ in the non-standard universe. The table would look something like the table in Figure 1. The notations that are used in practice differ from those in this list. For example, for the predicates ${}^*$finite, ${}^*$integer, ${}^*$real we use hyperfinite, hyperinteger, hyperreal respectively. A partial mapping $\varphi : {}^*\mathbb{U} \to {}^*\mathbb{U}$ is internal if there is an $f \in {}^*\mathbb{U}$ satisfying the function predicate such that $\varphi(a)$ is defined if and only if $a \in {}^*\mathrm{dom}\,f$ and for such values of $a$, $\varphi(a) = f(a)$. Otherwise, the mapping is said to be external. A set is internal (respectively external) if and only if its indicator function is internal (respectively external).

Elements $r$ of the field $\mathbb{C}$ of complex numbers are identified with ${}^*r$. Thus $\mathbb{C}$ is viewed as a subfield of ${}^*\mathbb{C}$. An element $u \in {}^*\mathbb{U}$ is standard if and only if $u = {}^*x$ for some $x \in \mathbb{U}$. Thus ${}^*\mathbb{N}$ and ${}^*\mathbb{R}$ are standard sets even though they have non-standard elements. We denote the formula "$x$ is standard" by $\mathrm{st}(x)$. We use the notation $\forall^{\mathrm{st}} x\, \Phi(x)$ and $\exists^{\mathrm{st}} x\, \Phi(x)$, which are abbreviations for the formulas $\forall x\,[\mathrm{st}(x) \Rightarrow \Phi(x)]$ and $\exists x\,[\mathrm{st}(x) \wedge \Phi(x)]$ respectively. More generally, if $\Phi$ is a first order formula, $\Phi^{\mathrm{st}}$ is the formula where all quantifications of the form $\forall x$ and $\exists x$ are replaced with quantifications $\forall^{\mathrm{st}} x$ and $\exists^{\mathrm{st}} x$ respectively. The transfer principle then takes the form:

3.2. If $\Phi(x_1, \ldots, x_n)$ is a bounded formula whose free variables are among $x_1, \ldots, x_n$, then for all standard $a_1, \ldots, a_n \in {}^*\mathbb{U}$,

$\Phi^{\mathrm{st}}(a_1, \ldots, a_n) \iff \Phi(a_1, \ldots, a_n).$

Non-standard analysis uses in an essential way non-standard integers. The following principle guarantees their existence:

3.3 (Countable Saturation). If $\{A_n : n \in \mathbb{N}\}$ is a sequence of internal sets in ${}^*\mathbb{U}$ such that for all $n \in \mathbb{N}$, $A_1 \cap A_2 \cap \cdots \cap A_n$ is non-empty, then there is an internal element $a$ such that $a \in A_n$ for all $n \in \mathbb{N}$.

Proposition 3.4. ${}^*\mathbb{N} \setminus \mathbb{N}$ is non-empty.

Proof. For finite subsets of $\mathbb{U}$ we have ${}^*\{a_1, \ldots, a_n\} = \{{}^*a_1, \ldots, {}^*a_n\}$. Now $\mathbb{N} \setminus \{1, \ldots, n\}$ is non-empty. Therefore for all $n \in \mathbb{N}$,

$A_n = {}^*\mathbb{N} \setminus \{1, \ldots, n\} \neq \emptyset$

and thus there is an $a \in \bigcap_n A_n$. Such an $a$ is distinct from all $k \in \mathbb{N}$. □

Countable saturation also implies:

Proposition 3.5. $\mathbb{N}$ is an external subset of ${}^*\mathbb{N}$.

Proof. Suppose $\mathbb{N}$ is internal. Then $B_n = \mathbb{N} \setminus \{1, \ldots, n\}$ is non-empty and internal. Thus there is an $m \in \bigcap_k B_k$, that is $m \in \mathbb{N}$ such that $m > k$ for all $k \in \mathbb{N}$, which is absurd. □

Corollary 3.6. Suppose $A$ is an internal set such that $\mathbb{N} \subseteq A$. Then there exists $M \in ({}^*\mathbb{N} \setminus \mathbb{N}) \cap A$.

Stated another way:

Corollary 3.7. If $\Phi(n)$ is a formula which holds for all standard integers $n$ then it holds for at least one unbounded integer.

Proposition 3.8. For any sequence $\{a_n\}_{n \in \mathbb{N}}$ of elements of ${}^*\mathbb{U}$ such that $a_n \in A$, there is an internal sequence $\{a'_n\}_{n \in {}^*\mathbb{N}}$ which extends the original sequence, that is $a'_n = a_n$ for all $n \in \mathbb{N}$.

Proof. For each $n \in \mathbb{N}$, let $A_n$ be the set of sequences $\{b_k\}_{k \in {}^*\mathbb{N}}$ which coincide with $\{a_k\}_{k \in \mathbb{N}}$ in the interval $\{1, 2, \ldots, n\}$. For all $n \in \mathbb{N}$, $A_n$ is non-empty since we can exhibit an element $b \in A_n$ as follows:

$b_k = \begin{cases} a_k & \text{if } k \leq n \\ 0 & \text{otherwise} \end{cases}$

The sequence is internal, since it is defined by an internal formula. By countable saturation, there is an internal $a$ that is an element of all the sets $A_n$. □

Definition 3.9. An $r \in {}^*\mathbb{R}$ is infinitesimal if and only if for every $n \in \mathbb{N}$, $|r| < n^{-1}$.

Proposition 3.10. There are infinitesimal real numbers.

"$x$ is infinitesimal" is written as $x \approx 0$.

Proof. For $n \in \mathbb{N}$, let $A_n = \{r \in {}^*\mathbb{R} : 0 < r < 1/n\}$. Each $A_n$ is non-empty, and thus by countable saturation $\bigcap_n A_n$ is non-empty. □

Definition 3.11. A positive hyperreal $r$ is infinite, written as $r \approx \infty$, if and only if for every $n \in \mathbb{N}$, $r > n$.

We use the notation $r \not\approx 0$ to indicate $r$ is not infinitesimal and $r \ll \infty$ to indicate $r$ is not infinite.
4. Non-standard view of computational derivability

A critical feature of a good model for tool-based protocol analysis is to focus on a single setting for computations. The computational model for exponentiation environments breaks this feature because of its use of the security parameter $k$. Our approach to resolving this tension is to use non-standard analysis to narrow our focus to a single $k$ that can be used to express all the key properties. In particular, $k$ will be greater than any finite number.

In this section, we show how to simplify the computational model in this way. First, we discuss the exponentiation environment we obtain when we consider an admissible system at an infinite $k$. Then, we tackle the more complicated problem of how to express the mechanisms around the exponentiation environment: families of non-uniform circuits, probabilities, and negligible functions.

4.1. Infinite-index admissible systems.

Remark 4.1 (Notation). Given any standard sequence $S = \{S_k\}_{k \in \mathbb{N}}$, ${}^*S$ denotes the family indexed by ${}^*\mathbb{N}$ obtained by applying the transfer operator to $S$. The family ${}^*S$ can be viewed as an extension of $S$. By overloading of notation, we denote each term of the family ${}^*S$ by $S_k$.

Now let $S = \{(G_j, g_j, p_j) : j \in \mathbb{N}\}$ be an admissible system of groups and generators; ${}^*S$ is a family indexed on ${}^*\mathbb{N}$ which extends $S$. By transfer, for each $k \in {}^*\mathbb{N}$, $G_k$ is a cyclic group, generated by $g_k$, of prime order $p_k$. In particular, exponentiation is defined as a mapping $G_k \times \mathbb{Z}/(p_k) \to G_k$. Now let $k \approx \infty$. Then $p_k \approx \infty$ due to the growth requirements on the sequence $\{p_k\}_k$ in Definition 2.1. The internal characteristic of this field is $p_k \approx \infty$.

4.2. Non-standard mechanisms. In this section, we tackle the more complicated problem of how to express the mechanisms around the exponentiation environment. First, we discuss non-negligible functions.

4.2.1. Non-standard view of negligibility. First, we prove the following proposition.

Proposition 4.2. A necessary and sufficient condition that a (standard) function $f$ on $\mathbb{N}$ be negligible is that for all standard $n$ and $k \approx \infty$, $|{}^*f(k)| < k^{-n}$.

Proof. For necessity, suppose $f$ is negligible and $n$ is standard. By the definition of negligible,

$\exists^{\mathrm{st}} \ell\ \forall^{\mathrm{st}} k > \ell \quad |{}^*f(k)| < k^{-n}$

is valid. Applying transfer, which is legitimate since it is applied to the innermost quantifier,

$\exists^{\mathrm{st}} \ell\ \forall k > \ell \quad |{}^*f(k)| < k^{-n}.$

In particular, if $k \approx \infty$, $|{}^*f(k)| < k^{-n}$ as claimed.

The proof of sufficiency relies on a common technique involving overspill and transfer. Suppose that for all $k \approx \infty$ and all standard $n$, $|{}^*f(k)| < k^{-n}$. In particular,

$\forall \ell \approx \infty\ \forall k > \ell \quad |{}^*f(k)| < k^{-n}$

and thus by overspill,

$\exists^{\mathrm{st}} \ell\ \forall k > \ell \quad |{}^*f(k)| < k^{-n}.$

By transfer,

$\exists^{\mathrm{st}} \ell\ \forall^{\mathrm{st}} k > \ell \quad |{}^*f(k)| < k^{-n},$

which is the claim that $f$ is negligible. □


4.2.2. Non-standard view of probability. Let $X = \{X_k\}_{k \in \mathbb{N}}$ be a sequence of finite sets. A sequence of subsets $A_k \subseteq X_k$ is negligible if and only if $\Pr_k(A_k)$ is negligible as a function of $k$, where $\Pr_k$ is the uniform probability measure on $X_k$.

We will consider any hyperfinite set $X$ as a space equipped with the probability measure

(3) $\Pr(A) = \dfrac{{}^*\mathrm{card}\,A}{{}^*\mathrm{card}\,X}$

Proposition 4.3. Let $\{X_k\}_{k \in \mathbb{N}}$ be a sequence of finite sets. A necessary and sufficient condition that a sequence $\{A_k\}_k$ of subsets be negligible is that for every standard $m$ and $k \approx \infty$,

(4) $\Pr(A_k) < k^{-m}$

Proof. The proof of this follows the same lines as the proof of Proposition 4.2. □


Definition 4.4. Let $K \approx \infty$. A hyperreal $\theta$ is $K$-negligible if and only if for all standard $m$, $|\theta| < K^{-m}$. A hyperreal $\theta$ is of order $K$ if and only if there is a standard $m$ such that $|\theta| < K^{-m}$.

Remark 4.5. Any $K$-negligible number $\theta$ is infinitesimal, since $|\theta| < K^{-1}$ and $K^{-1}$ is already infinitesimal. The converse is false, since $K^{-1}$ is infinitesimal but not $K$-negligible. We introduce this stronger concept, motivated by Proposition 4.3 and the transfer principle, to translate the property of a negligible sequence into a "limit" property of a single hyperfinite set.

Note that negligible is defined relative to a scale parameter $K$.

In the statement of Proposition 4.3 there is no relation assumed between the cardinality of $X_k$ and $k$. If we assume $X_k$ has exponential growth, that is, for some constants $0 < c < C < \infty$ and all $k$,

$c < \dfrac{\mathrm{card}\,X_k}{2^k} < C,$

then we can rewrite (4) as: for all $k \approx \infty$, $\Pr_k(A_k)$ is $(\log {}^*\mathrm{card}\,X_k)$-negligible.


4.2.3. Non-standard view of computational derivability. Last, we explore the idea of infinite indices in polynomially bounded non-uniform circuit families. This is done by applying the transfer operator to everything in sight. In keeping with our notation, we use ${}^*\mathcal{C}$ to denote the class of circuits in the universe ${}^*\mathbb{U}$, and ${}^*|\cdot|$ denotes the size function.

If $A = \{A_k\} \in \mathcal{PNC}$ is a standard polynomially bounded non-uniform circuit family, by transfer we simply think of $A_k$ as being of size $< p(k)$ even when $k \approx \infty$. Using non-standard analysis, we can restate the condition with a single infinite index.

In the following $\mathfrak{P}$ denotes the set of primes.

Proposition 4.6. A derivation problem $(\alpha, \beta)$ is solvable if and only if for some $k \approx \infty$, there is a $p \in {}^*\mathfrak{P}$ such that $0 \ll p/2^k \ll \infty$ and an $A \in {}^*\mathcal{C}$ such that for some standard $m$, $|A| < k^m$ and

(5) $\Pr[\bar x \leftarrow (\mathbb{Z}/(p))^n;\ v \leftarrow A(\alpha(\bar x)) : v = \beta(\bar x)]$

is not $k$-negligible.
Proof. If the derivation problem is solvable in the sense of Definition 2.6, then overspill implies the stated condition. Conversely, if the stated condition holds, there are $k \approx \infty$, standard constants $0 < c < C < \infty$ such that $c < p/2^k < C$, a standard positive integer $m$ and a circuit $A$ such that $|A| < k^m$ and

(6) $\Pr[\bar x \leftarrow (\mathbb{Z}/(p))^n;\ v \leftarrow A(\alpha(\bar x)) : v = \beta(\bar x)] > k^{-m}$

Therefore the following formula with standard parameters $\alpha, \beta, c, C$ is valid in ${}^*\mathbb{U}$:

(7) $\forall^{\mathrm{st}} \ell,\ \exists k > \ell,\ \exists p \in {}^*\mathfrak{P},\ \exists A \in {}^*\mathcal{PNC}:\quad c < p/2^k < C$ and $\Pr[\bar x \leftarrow (\mathbb{Z}/(p))^n;\ v \leftarrow A(\alpha(\bar x)) : v = \beta(\bar x)] > k^{-m}$

By transfer, we obtain the following completely standard formula.

(8) $\forall \ell \in \mathbb{N},\ \exists k > \ell,\ \exists p \in \mathfrak{P},\ \exists A \in \mathcal{PNC}:\quad c < p/2^k < C$ and $\Pr[\bar x \leftarrow (\mathbb{Z}/(p))^n;\ v \leftarrow A(\alpha(\bar x)) : v = \beta(\bar x)] > k^{-m}$

This is precisely the condition for solvability. □

Note that since Proposition 4.6 refers only to a single infinite $k$, and since the properties observed in subsection 4.1 apply to any infinite $k$, this allows us to view the environment in the simple way we described at the beginning of this section: as a single environment, with no overly specific properties.


5. Formalized environments

The main aim of this paper is to obtain a formalized environment in which we can express Diffie-Hellman operations. We have thus far discussed only computational environments of this kind. For the purposes of automated analysis, we must make a Dolev-Yao style assumption on our environment, which would replace arbitrary adversary behavior with a more restricted set of such behavior based on expected derivations. Clearly, we will want to set our computation in $G_k$ for an infinite $k$; for simplicity we refer to such a group as $G$.

Now, we will certainly want to represent the field of exponents $E = \mathbb{Z}/(p)$. We would represent each independently chosen random value in $E$ as a variable, and consider an adversary capable of exponentiation, field operations within $E$, and group operations in $G$, based on knowing $g$ as well as whatever input information is available.

Certainly, formal derivability of $\beta$ from $\alpha$ would be a well-defined alternative to the notion of derivation problem solvability. We seek a stronger justification of our choice of formalization, namely, that formalizing transforms solvability into formal derivability. The rest of the section deals with this aspect of formalization.

In Figure 1, we give a schematic of the models under discussion. If we were to approach $D$ only through $B$, we gain little evidence that our choice of formalization is justified, but since $B$ is fairly simple, we do get a good model to justify. We then aim to justify this choice of formalization by attempting the same kind of formalization on the regular computational model $A$, obtaining $C$, and only then generalizing to infinite index. The main result of this section is that this alternate approach leads to the same notion of derivability.


5.1. Formalizing the computational model. Here, we must make a decision about how to properly translate the notion of derivation by a family of circuits to a formal one. We describe the formal derivation environment for each exponentiation environment in an admissible system of groups and generators $S = \{(G_j, g_j, p_j) : j \in \mathbb{N}\}$ as defined in §4.1. Essentially, a derivation is a rational expression on exponents or on exponents and bases. Rather than a polynomial bound on the circuit family, we require that the rational expressions involved are of log-sublinear degree: in other words, the expressions are of degree significantly less than $p$. A function $f : \mathbb{R} \to \mathbb{R}$ is log-sublinear if and only if for every $k \in \mathbb{N}$,

(9) $\lim_{r \to \infty} \dfrac{f(r)}{r} (\log r)^{-k} = 0.$

For example, any function such that $f(r) = O(r^{1-\epsilon})$ for positive $\epsilon$ is log-sublinear. This is a very conservative restriction, because the expressions can still grow exponentially in $k$.


5.2. Base and Exponent Schema. For the Diffie-Hellman protocol, expressions are of two kinds: a set $\mathfrak{U}$ of "bases" and $\mathfrak{E}$ of "exponents". The derivation process is given as closure rules for the sets $U \subset \mathfrak{U}$ and $E \subset \mathfrak{E}$ known to the adversary:

(1) If $u, v \in U$ then $u \cdot v \in U$.

(2) If $R(x) \in \mathbb{Z}(x_1, \ldots, x_n)$ is a rational expression with integer coefficients and $t = t_1, \ldots, t_n \in E$ then $R(t) \in E$.

(3) If $u \in U$ and $t \in E$, then $u^t \in U$.

Base and exponent expressions are intended to model uniform schemas specific to Diffie-Hellman. Formally, a base and exponent schema is a pair $(U, E)$ where $U$ is a set of base variables and $E$ is a set of exponent variables. In the following $u = (u_1, \ldots, u_m)$ is a sequence of base variables and $x = (x_1, \ldots, x_n)$ is a sequence of exponent variables.

(1) The set of exponent expressions $\mathfrak{E}$ consists of rational expressions $R(x) \in \mathbb{Z}(x)$ in exponent variables.

(2) The set of base expressions consists of monomials

$$F(u, x) = u_1^{R_1(x)} u_2^{R_2(x)} \cdots u_m^{R_m(x)}$$

where $u$ are base variables and $x$ are exponent variables. We denote the set of base expressions in the variables $u, x$ by $B(u, x)$.

The equality relation between base expressions is purely formal:

$$u_1^{R_1(x)} u_2^{R_2(x)} \cdots u_m^{R_m(x)} = u_1^{S_1(x)} u_2^{S_2(x)} \cdots u_m^{S_m(x)}$$

if and only if $R_i(x) = S_i(x)$ for each $i$. Later we will provide a semantics for equality which justifies this definition.

A pure Diffie-Hellman term is either an exponent expression or a base expression. Derivability is characterized by a set of closure rules for the set $U$ of base expressions and $E$ of exponent expressions known to the adversary. The closure rules are as follows:

(1) Suppose $R_1(x), \ldots, R_m(x) \in E$. Then for any rational expression $S(y)$,

$$S(R_1(x), \ldots, R_m(x)) \in E.$$




(2) If $u_1^{Q_1(x)} u_2^{Q_2(x)} \cdots u_m^{Q_m(x)} \in B$ and $R_1(x), \ldots, R_m(x) \in E$ then

$$u_1^{Q_1(x) R_1(x)} \cdots u_m^{Q_m(x) R_m(x)} \in B.$$

5.3. Derivability definitions and propositions. Recall that our formalized version of a non-uniform family of circuits is a non-uniform family of rational expressions.

Definition 5.1. Suppose $R \in \mathbb{Z}(x_1, \ldots, x_n)$ and $\{S_k\}_{k \in \mathbb{N}}$ is a sequence of elements of $\mathbb{Z}(x_1, \ldots, x_n)$. $R \sim \{S_k\}_k$ if and only if there is a non-negligible function $\epsilon$ such that for all $k \in \mathbb{N}$,

$$\Pr_k \underbrace{\{a \in (\mathbb{Z}/(p_k))^n : R(a) = S_k(a)\}}_{A_k} \ge \epsilon(k). \tag{10}$$

Remark 5.2. In (10), the symbol $\Pr_k$ refers to the uniform probability measure on $(\mathbb{Z}/(p_k))^n$. Implicit in the defining condition for the sets $A_k$ is that both the RHS and the LHS of the equation within the braces are defined. In particular, the denominators of both $R(a)$ and $S_k(a)$ must be non-zero in order for $a$ to be an element of $A_k$.

Remark 5.3. A necessary and sufficient condition that $R \sim \{S_k\}_k$ is that there exist an $m \in \mathbb{N}$ such that

$$\Pr_k \underbrace{\{a \in (\mathbb{Z}/(p_k))^n : R(a) = S_k(a)\}}_{A_k} \ge (\log p_k)^{-m} \tag{11}$$

for infinitely many $k$. This is a trivial rewrite of (10) using Remark 2.2.

Proposition 5.4. Suppose $R_\beta, R_\alpha, S_k \in \mathbb{Z}(x_1, \ldots, x_n)$ and $R_\beta \sim \{S_k \circ R_\alpha\}_k$. If the degree of $S_k$ is a log-sublinear function of $p_k$ (that is, the degrees of the numerator and denominator of $S_k$ are log-sublinear in $p_k$) as $k \to \infty$, then there is an $S \in \mathbb{Z}(x_1, \ldots, x_n)$ such that $S \circ R_\alpha = R_\beta$.

In other words, when such an $\{S_k\}$ family exists for a given $(\alpha, \beta)$ exponent-only derivability problem, $R_\beta$ can be derived from $R_\alpha$.

Next  we  state  the  more  general  notion  which  includes  both  base  and  exponent 
expressions  and  state  the  equivalent  proposition. 

Definition 5.5. Suppose $u \in U^m$, $x \in E^n$, $F(u, x) \in B(u, x)$ and $\{G_k(u, x)\}_{k \in \mathbb{N}}$ is a sequence of elements of $B(u, x)$. Then $F \sim \{G_k\}_k$ if and only if there is a non-negligible function $\epsilon$ such that for all $k \in \mathbb{N}$,

$$\Pr_k \{(t, a) \in (\mathbb{Z}/(p_k))^m \times (\mathbb{Z}/(p_k))^n : F(t, a) = G_k(t, a)\} \ge \epsilon(k). \tag{12}$$

Proposition 5.6. Suppose $R_\beta, R_\alpha, S_k \in B(u, x)$ and $R_\beta \sim \{S_k \circ R_\alpha\}_k$. If the degree of $S_k$ is log-sublinear in $k$ then there exists $S \in B(u, x)$ such that $R_\beta = S \circ R_\alpha$.

Propositions  5.4  and  5.6  are  proved  in  the  next  section. 

5.4. Generalizing to infinite index. The formalized version of the computational model of derivability is stated in Definitions 5.1 and 5.5. These definitions and the key results Propositions 5.4 and 5.6 are formulated in completely standard terms. We apply non-standard analysis techniques, in particular the transfer principle, to extend these definitions and propositions to infinite $k$. By applying the overspill principle we can then isolate these statements to a single, infinite $k$. This produces almost the environment we expect; the one difference is that we get a definition of solvable based on a non-negligible probability of success of being solved by an allowable derivation, rather than being exactly solved by it. However, we are able to prove that these amount to the same thing. In order to do this, we require some preliminary concepts that restrict the size of algebraic varieties over finite fields.


5.5. Varieties and Negligible Sets. Let $F$ be an internal field. We consider internal multivariate polynomials $P \in F[x_1, \ldots, x_n]$ where $n \in {}^*\mathbb{N}$. Elements of $F[x_1, \ldots, x_n]$ are internal functions from the free internal Abelian semigroup generated by $x_1, \ldots, x_n$ into the field $F$. We also use the notation $F[x]$ to denote the ring $F[x_1, \ldots, x_n]$. An element $P \in F[x_1, \ldots, x_n]$ defines a function $F^n \to F$ which by abuse of language we also denote by $P$. Note that in general distinct polynomials can define the same function.

Now suppose $F$ is a hyperfinite field and $P \in F[x_1, \ldots, x_n]$ is a polynomial of degree $m$. The variety defined by $P$ is the set $E \subset F^n$

$$E = \{(x_1, \ldots, x_n) \in F^n : P(x_1, \ldots, x_n) = 0\}. \tag{13}$$

If $f$ is log-sublinear, then for $R \approx \infty$ and standard hyperinteger $k$,

$$\frac{{}^*f(R)}{R (\log R)^{-k}} \approx 0. \tag{14}$$

An internal set $E \subset X$ is negligible if and only if $\Pr(E)$ is negligible relative to the scale parameter $\log {}^*\mathrm{card}\, X$. The key result we use is the following:

Proposition 5.7. Suppose $E \subset F^n$ is an algebraic variety defined by a non-trivial polynomial $P$ such that

$$\deg P \le {}^*f({}^*\mathrm{card}\, F) \tag{15}$$

where $f$ is log-sublinear. Then $E$ is negligible.


The  result  is  proved  in  §7. 


Remark 5.8. Note that the degree of $P$ need not be standard. Stated contrapositively, Proposition 5.7 states that if $P$ defines a variety which is non-negligible, then $P$ is trivial.

Remark 5.9. Stated contrapositively, Proposition 5.7 states that two polynomials whose degrees are not too large (in the sense of the inequality (15)) and which agree on a non-negligible set are in fact identical.


6. Derivability in the Formal Model

Fix a derivability problem and let $U$, $E$ be the sets of base and exponent expressions derivable by the adversary. In other words, $U$ and $E$ consist of base and exponent expressions obtained by composing rational expressions with the $R_\alpha$ values. We use the notation and context of §4.1, in particular $S = \{(G_j, g_j, p_j) : j \in \mathbb{N}\}$ is an admissible system of groups and generators and ${}^*S$ is the extension obtained by transfer. The following remark is crucial in what follows:

Remark 6.1. Suppose $F$ is standard and $F \in {}^*U$ (respectively $F \in {}^*E$). Then $F \in U$ (respectively $F \in E$). This is immediate from the transfer principle.
The previous remark is the basic idea behind our use of non-standard analysis. We first consider exponent expressions:

Proof of Proposition 5.4. Since the set $\{p_j : j \in \mathbb{N}\}$ is unbounded, there is an $M \approx \infty$ such that $p_M \approx \infty$ and

$$R(a) - S_M(a) = 0 \tag{16}$$

for $a \in ({}^*\mathbb{Z}/(p_M))^n$ on a non-negligible set $A_M$. Let

$$R(x) = \frac{R_{\mathrm{num}}(x)}{R_{\mathrm{den}}(x)}, \qquad S_M(x) = \frac{S_{\mathrm{num}}(x)}{S_{\mathrm{den}}(x)} \tag{17}$$

so (16) can be regarded as the conjunction

(1) $R_{\mathrm{den}}(a)$ and $S_{\mathrm{den}}(a)$ are non-zero

(2) $R_{\mathrm{num}}(a) S_{\mathrm{den}}(a) = S_{\mathrm{num}}(a) R_{\mathrm{den}}(a)$

The result now follows from Proposition 5.7 and the transfer principle. □


Proof of Proposition 5.6. There is an $M \approx \infty$ such that $p_M \approx \infty$ and the set

$$\{(t, a) \in ({}^*\mathbb{Z}/(p_M))^m \times ({}^*\mathbb{Z}/(p_M))^n : F(t, a) = G_M(t, a)\}$$

has non-negligible probability. Equivalently, the set of $(t, a) \in ({}^*\mathbb{Z}/(p_M))^m \times ({}^*\mathbb{Z}/(p_M))^n$ such that

$$t_1^{R_1(a)} \cdots t_m^{R_m(a)} = t_1^{S_1(a)} \cdots t_m^{S_m(a)} \tag{18}$$

has non-negligible probability, where

$$F(u, x) = u_1^{R_1(x)} \cdots u_m^{R_m(x)}, \qquad G_M(u, x) = u_1^{S_1(x)} \cdots u_m^{S_m(x)}.$$

Choose a generator $\rho$ for $G_M$ and write $t_i = \rho^{\alpha_i}$. Then (18) can be expressed as

$$\rho^{\alpha_1 R_1(a) + \cdots + \alpha_m R_m(a)} = \rho^{\alpha_1 S_1(a) + \cdots + \alpha_m S_m(a)} \tag{19}$$

which holds for $(\alpha, a)$ ranging over a subset $A_M$ of $({}^*\mathbb{Z}/(p_M))^m \times ({}^*\mathbb{Z}/(p_M))^n$ of non-negligible probability. Therefore

$$\alpha_1 (R_1(a) - S_1(a)) + \cdots + \alpha_m (R_m(a) - S_m(a)) = 0$$

for $(\alpha, a) \in A_M$. Thus for all $k$, $1 \le k \le m$, $R_k(x) - S_k(x) = 0$, which proves the result. □


7.  Negligibility  of  Algebraic  Varieties 

We  now  turn  to  the  main  technical  result  which  limits  the  size  of  algebraic 
varieties  defined  by  polynomials  of  log-sublinear  degree  in  the  field  size. 

Proposition 7.1. Suppose $E \subset F^n$ is an algebraic variety defined by a non-trivial polynomial $P$. Then

$${}^*\mathrm{card}\, E \le n \deg P\, ({}^*\mathrm{card}\, F)^{n-1}. \tag{20}$$

Proof. Let $m = \deg P$. The proof is by induction on $n$. $P$ is of the form

$$P(x, y) = \sum_{k \le m} P_k(x)\, y^k, \tag{21}$$

where $P_k(x) \in F[x_1, \ldots, x_{n-1}]$ is a polynomial of degree at most $m$. Now for each $a \in F^{n-1}$, one of the following holds:

(1) The polynomial in one variable $P(a, y)$ is identically $0$ or, equivalently,

$$P_0(a) = P_1(a) = \cdots = P_m(a) = 0.$$

By the inductive hypothesis there are at most $(n-1) \times m \times ({}^*\mathrm{card}\, F)^{n-2}$ elements $a \in F^{n-1}$ in this case, and each one contributes ${}^*\mathrm{card}\, F$ solutions to $P(a, b) = 0$.

(2) There are possibly as many as $({}^*\mathrm{card}\, F)^{n-1}$ elements $a$ in this case, but each one contributes at most $m$ solutions to $P(a, b) = 0$ as $b$ ranges over $F$.

Altogether, therefore, there are at most

$$(n-1)\, m\, ({}^*\mathrm{card}\, F)^{n-1} + ({}^*\mathrm{card}\, F)^{n-1}\, m = n m\, ({}^*\mathrm{card}\, F)^{n-1}$$

elements in $E$. In case (1), therefore, $P(a, b) = 0$ has at most $({}^*\mathrm{card}\, F)^{n-1} \times m$ solutions as $a, b$ range over $F^{n-1}$, $F$ respectively. □
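As an added illustration (not from the paper), the following Python script brute-forces the variety $E$ of a polynomial over a small prime field $\mathbb{Z}/(p)$ and compares $\mathrm{card}\, E$ with the right-hand side of (20), $n \cdot \deg P \cdot (\mathrm{card}\, F)^{n-1}$. It also shows why the bound, and with it Proposition 5.7, needs $\deg P$ small relative to $\mathrm{card}\, F$: the non-trivial polynomial $x^p - x$ vanishes at every point, and for it (20) is vacuous. The dictionary encoding of polynomials and the sample polynomials are this example's own constructions.

```python
import itertools
from fractions import Fraction

# A polynomial over Z/(p) is a dict mapping an exponent tuple (e_1, ..., e_n)
# to its coefficient, e.g. {(1, 1): 1, (0, 0): p - 1} encodes x*y - 1.
# (Encoding and sample polynomials are constructed for this example.)

def eval_poly(poly, point, p):
    """Evaluate the polynomial at a point of (Z/(p))^n."""
    total = 0
    for exps, coeff in poly.items():
        term = coeff % p
        for e, v in zip(exps, point):
            term = term * pow(v, e, p) % p
        total = (total + term) % p
    return total

def degree(poly):
    """Total degree of the polynomial as a formal expression (not as a function)."""
    return max(sum(exps) for exps, coeff in poly.items() if coeff != 0)

def variety_size(poly, n, p):
    """card E for E = {a in (Z/(p))^n : P(a) = 0}, by exhaustive enumeration."""
    return sum(1 for a in itertools.product(range(p), repeat=n)
               if eval_poly(poly, a, p) == 0)

def bound_20(poly, n, p):
    """Right-hand side of (20): n * deg P * (card F)^(n-1)."""
    return n * degree(poly) * p ** (n - 1)

def zero_probability(poly, n, p):
    """Pr(E) under the uniform measure on (Z/(p))^n, as an exact fraction."""
    return Fraction(variety_size(poly, n, p), p ** n)

P_PRIME = 13

# x*y - 1 over (Z/13)^2: the points (a, a^-1) for a != 0, so card E = 12.
HYPERBOLA = {(1, 1): 1, (0, 0): P_PRIME - 1}

# x^2 + y^2 - 1 over (Z/13)^2: a conic, also well inside the bound.
CONIC = {(2, 0): 1, (0, 2): 1, (0, 0): P_PRIME - 1}

# x^p - x over Z/13: non-trivial as a polynomial, yet zero as a function.
# Its degree is p, so (20) degenerates to card E <= p and says nothing;
# this is exactly the situation the log-sublinear degree condition (15) rules out.
FROBENIUS = {(P_PRIME,): 1, (1,): P_PRIME - 1}

if __name__ == "__main__":
    for name, poly, n in (("x*y-1", HYPERBOLA, 2), ("x^2+y^2-1", CONIC, 2),
                          ("x^p-x", FROBENIUS, 1)):
        size, bound = variety_size(poly, n, P_PRIME), bound_20(poly, n, P_PRIME)
        print(f"{name:10s} card E = {size:3d}  bound (20) = {bound:3d}  "
              f"Pr(E) = {zero_probability(poly, n, P_PRIME)}")
```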

Henceforth we assume without further mention that $F$ is a hyperfinite field such that ${}^*\mathrm{card}\, F \approx \infty$. In this section, $F$ will be instantiated with a field ${}^*\mathbb{Z}/(p)$ with $p$ an infinite prime.


Proof of Proposition 5.7. Let $m = \deg P$. By Proposition 7.1 and the assumption that ${}^*\mathrm{card}\, F \approx \infty$,

$$\Pr(E) (\log {}^*\mathrm{card}\, F)^k = \frac{{}^*\mathrm{card}\, E}{{}^*\mathrm{card}\, F^n} (\log {}^*\mathrm{card}\, F)^k \le \frac{n m\, {}^*\mathrm{card}\, F^{n-1}}{{}^*\mathrm{card}\, F^n} (\log {}^*\mathrm{card}\, F)^k \le n\, \frac{{}^*f({}^*\mathrm{card}\, F)}{{}^*\mathrm{card}\, F} (\log {}^*\mathrm{card}\, F)^k \approx 0.$$

□


A partial internal function $f$ on $X$ is defined almost everywhere if and only if $X \setminus \mathrm{dom}\, f$ is negligible.

Proposition 7.2. Suppose $F$ is a hyperfinite field such that ${}^*\mathrm{card}\, F \in {}^*\mathbb{N} \setminus \mathbb{N}$ and $R(x) = P(x)/Q(x)$ where $0 \ne Q(x) \in F[x]$ and $\deg Q(x) \le {}^*f({}^*\mathrm{card}\, F)$ with $f$ log-sublinear. Then $R$ is almost everywhere defined.

Proof. $R$ is defined precisely when $Q(x) \ne 0$, which by Proposition 5.7 holds almost everywhere. □


8.  Restricting  to  the  Diffie-Hellman  algebra 

The full Diffie-Hellman model thus far developed unfortunately falls short of what we need for protocol analysis. As Dougherty and Guttman point out, the notion that all exponents other than 0 have inverses cannot be simply expressed in an equational theory [4]. Worse, any reasonable attempt at emulating this formal model with an algebra would be problematic because the exponents would form a ring structure, and unification, a key technique in automated exploratory protocol analysis, is not known to be decidable for rings. Thus, we restrict our formal model to a weaker one which does not capture exponent addition or group multiplication.
Sorts:
    BASE, EXPN

Operations:
    BASE × EXPN → BASE        Exponentiation
    EXPN × EXPN → EXPN        Multiplication
    EXPN → EXPN               Inverse

Constants:
    1 : EXPN                  Identity

Equations:
    (g^x)^y = g^(xy)          g: BASE, x, y: EXPN
    xy = yx                   x, y: EXPN
    (xy)z = x(yz)             x, y, z: EXPN
    g^1 = g                   g: BASE
    1x = x                    x: EXPN
    x(x^-1) = 1               x: EXPN

Figure 2. Our restricted Diffie-Hellman algebra


8.1. Our Diffie-Hellman Algebra. Our Diffie-Hellman algebra is illustrated in Figure 2. This algebra emulates a restricted version of our Diffie-Hellman model in which addition of exponents and multiplication of bases are not included. Unification in our algebra is efficiently computable and is unitary [5].


In  this  section,  we  present  the  similarly  restricted  version  of  our  Diffie-Hellman 
model,  and  justify  our  restriction  in  the  following  sense.  In  the  restricted  model,  we 
can  formulate  fewer  formal  solvability  statements  than  in  the  full  model.  However, 
all  formal  solvability  statements  in  the  restricted  model  are  true  exactly  if  they  are 
true  in  the  full  model. 

The  results  of  Proposition  8.2  and  Corollary  8.3  are  the  main  results  supporting 
this  conclusion. 


8.2. Monomials and Polynomials. Suppose $r, n \in \mathbb{Z}$ and $A \in M_{r \times n}(\mathbb{Z})$. Let

$$A = \begin{pmatrix} \alpha_{11} & \alpha_{12} & \cdots & \alpha_{1n} \\ \alpha_{21} & \alpha_{22} & \cdots & \alpha_{2n} \\ \vdots & \vdots & & \vdots \\ \alpha_{r1} & \alpha_{r2} & \cdots & \alpha_{rn} \end{pmatrix} = \begin{pmatrix} A_1 \\ A_2 \\ \vdots \\ A_r \end{pmatrix}. \tag{22}$$

$M_A(x)$ is the vector of monomials (displayed as a column vector for readability):

$$M_A(x) = \begin{pmatrix} M_{A_1}(x) \\ M_{A_2}(x) \\ \vdots \\ M_{A_r}(x) \end{pmatrix} = \begin{pmatrix} x_1^{\alpha_{11}} x_2^{\alpha_{12}} \cdots x_n^{\alpha_{1n}} \\ x_1^{\alpha_{21}} x_2^{\alpha_{22}} \cdots x_n^{\alpha_{2n}} \\ \vdots \\ x_1^{\alpha_{r1}} x_2^{\alpha_{r2}} \cdots x_n^{\alpha_{rn}} \end{pmatrix}.$$

As a special case, if $\alpha \in M_{1 \times n}(\mathbb{Z})$ (i.e. $\alpha$ is a row vector with $n$ entries), then

$$M_\alpha(x) = x_1^{\alpha_1} x_2^{\alpha_2} \cdots x_n^{\alpha_n}.$$
We regard $M_A(x)$ as a mapping $F^n \to F^r$. Since each component $M_i$ of $M_A$ is almost everywhere defined and the number of components is standard, $M_A$ is almost everywhere defined. The proof of the following is a straightforward computation:

Proposition 8.1. If $C \in M_{r \times n}(\mathbb{Z})$ and $D \in M_{r \times n}(\mathbb{Z})$ then

$$M_C(x) \cdot M_D(x) = M_{C+D}(x) \tag{24}$$

where the product is the coordinatewise product. If $B \in M_{s \times r}(\mathbb{Z})$ and $A \in M_{r \times n}(\mathbb{Z})$, then

$$M_B(M_A(x)) = M_{B \cdot A}(x). \tag{25}$$

In particular, if $\beta \in M_{1 \times r}(\mathbb{Z})$,

$$M_{\beta \cdot A}(x) = M_\beta(M_A(x)) = M_{A_1}^{\beta_1}(x)\, M_{A_2}^{\beta_2}(x) \cdots M_{A_r}^{\beta_r}(x). \tag{26}$$

We now consider composition with polynomials. Suppose $P(y) \in F[y_1, \ldots, y_r]$ is a polynomial of degree $m$. Thus

$$P(y_1, \ldots, y_r) = \sum_{|\beta| \le m} c_\beta\, y_1^{\beta_1} y_2^{\beta_2} \cdots y_r^{\beta_r} = \sum_{|\beta| \le m} c_\beta M_\beta(y). \tag{27}$$

If $A$ is an $r \times n$ matrix as in (22), then by (26),

$$P(M_A(x)) = \sum_{|\beta| \le m} c_\beta M_\beta(M_A(x)) = \sum_\beta c_\beta M_{\beta \cdot A}(x).$$

Since the family $M_\gamma(x)$ of monomials in the vector space $F[x_1, \ldots, x_n]$ is linearly independent, we have shown:

Proposition 8.2. If $P(y) = \sum_\beta c_\beta y^\beta \in F[y_1, \ldots, y_r]$ and $A \in M_{r \times n}(\mathbb{Z})$ is such that

$$P(M_{A_1}(x), M_{A_2}(x), \ldots, M_{A_r}(x)) = 0$$

then for every $\gamma$,

$$\sum_{\beta \cdot A = \gamma} c_\beta = 0. \tag{28}$$

An immediate corollary is the conclusion that polynomial identities between monomials are essentially monomial identities. This result has the following significance: an adversary that can compute arbitrary polynomials on monomials has no advantage over an adversary that is restricted to computing monomials.


Corollary 8.3. Suppose

$$R(y) = \frac{\sum_\beta c_\beta M_\beta(y)}{\sum_\beta d_\beta M_\beta(y)} \in F(y_1, \ldots, y_r), \tag{29}$$

$A \in M_{r \times n}(\mathbb{Z})$ and $\gamma \in M_{1 \times n}(\mathbb{Z})$ are such that

$$R(M_{A_1}(x), M_{A_2}(x), \ldots, M_{A_r}(x)) = M_\gamma(x). \tag{30}$$

Then there is a $\tau \in M_{1 \times r}(\mathbb{Z})$ such that $\gamma = \tau \cdot A$ and for any such $\tau$

$$M_{A_1}^{\tau_1}(x) \cdots M_{A_r}^{\tau_r}(x) = M_\tau(M_A(x)) = M_\gamma(x). \tag{31}$$

Proof. From (29) and (30) it follows that

$$\sum_\beta d_\beta M_{\gamma + \beta \cdot A}(x) = M_\gamma(x) \sum_\beta d_\beta M_\beta(M_A(x)) = \sum_\beta c_\beta M_\beta(M_A(x)) = \sum_\beta c_\beta M_{\beta \cdot A}(x).$$

By Proposition 8.2, for every $\tau$,

$$\sum_{\gamma + \beta \cdot A = \tau} d_\beta M_{\gamma + \beta \cdot A}(x) = \sum_{\beta \cdot A = \tau} c_\beta M_{\beta \cdot A}(x). \tag{32}$$

Let $\bar\tau$ be such that $\sum_{\gamma + \beta \cdot A = \bar\tau} d_\beta \ne 0$. Such a $\bar\tau$ exists, for otherwise the rational function $R$ would be identically $0$, which is impossible by (30). Choose some $\bar\beta$ such that $\gamma + \bar\beta \cdot A = \bar\tau$; such an index exists, for otherwise the sum $\sum_{\gamma + \beta \cdot A = \bar\tau} d_\beta$ would be $0$. If $\gamma + \beta \cdot A = \bar\tau$, then

$$M_{\gamma + \beta \cdot A}(x) = M_{\gamma + \bar\beta \cdot A}(x).$$

Similarly choose some $\tilde\beta$ such that $\tilde\beta \cdot A = \bar\tau$. If $\beta \cdot A = \bar\tau$,

$$M_{\beta \cdot A}(x) = M_{\bar\tau}(x) = M_{\tilde\beta \cdot A}(x).$$

Then from (32),

$$\Big(\sum_{\gamma + \beta \cdot A = \bar\tau} d_\beta\Big) M_{\gamma + \bar\beta \cdot A}(x) = \Big(\sum_{\beta \cdot A = \bar\tau} c_\beta\Big) M_{\tilde\beta \cdot A}(x). \tag{33}$$

Thus

$$M_\gamma(x) = \frac{\sum_{\beta \cdot A = \bar\tau} c_\beta\, M_{\tilde\beta \cdot A}(x)}{\sum_{\gamma + \beta \cdot A = \bar\tau} d_\beta\, M_{\bar\beta \cdot A}(x)} = M_{A_1}^{\tilde\beta_1 - \bar\beta_1}(x)\, M_{A_2}^{\tilde\beta_2 - \bar\beta_2}(x) \cdots M_{A_r}^{\tilde\beta_r - \bar\beta_r}(x),$$

which is of the form (31). □
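To make Corollary 8.3 concrete, here is an added Python example (not part of the paper) for exponent-only derivability in the restricted algebra: the adversary's known values are the monomials $M_{A_1}(x), \ldots, M_{A_r}(x)$ in the secret exponents $x$, and by the corollary a target $M_\gamma(x)$ is derivable exactly when $\gamma = \tau \cdot A$ for an integer row vector $\tau$, in which case the derivation is $M_\tau(M_A(x))$. The script searches for $\tau$ by bounded enumeration, checks the composition law (25) numerically in $\mathbb{Z}/(p)$, and exhibits a target ($x_1$) that is not derivable even though a closely related one ($x_1^2$) is; the matrix, the targets and the prime are constructed for the example.

```python
import itertools
import random

# Exponent-only derivability in the restricted Diffie-Hellman algebra.
# Rows of A are the exponent vectors of monomials the adversary knows;
# gamma is the exponent vector of the target monomial.  All data below
# are constructed for this example.

def monomial(alpha, a, p):
    """M_alpha(a) = a_1^alpha_1 * ... * a_n^alpha_n in Z/(p); negative
    entries of alpha mean inverses, so every a_i must be non-zero mod p."""
    value = 1
    for e, ai in zip(alpha, a):
        value = value * pow(ai, e, p) % p   # pow handles e < 0 when gcd(ai, p) = 1
    return value

def monomial_vector(A, a, p):
    """M_A(a): the column vector (M_{A_1}(a), ..., M_{A_r}(a))."""
    return [monomial(row, a, p) for row in A]

def row_times_matrix(tau, A):
    """tau . A for a 1 x r integer row vector tau and an r x n integer matrix A."""
    return [sum(t * aij for t, aij in zip(tau, col)) for col in zip(*A)]

def find_derivation(A, gamma, bound=3):
    """Search for an integer tau with |tau_i| <= bound such that tau . A = gamma.
    Returns tau as a list, or None when no such tau exists in the box."""
    for tau in itertools.product(range(-bound, bound + 1), repeat=len(A)):
        if row_times_matrix(tau, A) == list(gamma):
            return list(tau)
    return None

def composition_law_holds(B, A, p, trials=20, seed=1):
    """Numerically check (25): M_B(M_A(a)) == M_{B.A}(a) at random points a
    whose coordinates are all non-zero (so negative exponents are defined)."""
    rng = random.Random(seed)
    n = len(A[0])
    BA = [row_times_matrix(row, A) for row in B]
    for _ in range(trials):
        a = [rng.randrange(1, p) for _ in range(n)]
        if monomial_vector(B, monomial_vector(A, a, p), p) != monomial_vector(BA, a, p):
            return False
    return True

P_PRIME = 1_000_003          # a prime, standing in for the exponent field Z/(p)

# Known monomials in the secret exponents x = (x1, x2, x3):
#   x1*x2, x2*x3, x1*x3
A_KNOWN = [[1, 1, 0], [0, 1, 1], [1, 0, 1]]

if __name__ == "__main__":
    # x1^2 is derivable: (x1*x2) * (x2*x3)^-1 * (x1*x3), i.e. tau = (1, -1, 1).
    print("x1^2:", find_derivation(A_KNOWN, (2, 0, 0)))
    # x1 itself is not: tau . A = (1, 0, 0) forces 2*tau_1 = 1 over the integers,
    # so by Corollary 8.3 no rational expression in the known monomials yields x1.
    print("x1  :", find_derivation(A_KNOWN, (1, 0, 0)))
    print("(25) holds:", composition_law_holds([[1, -1, 1], [2, 0, -1]], A_KNOWN, P_PRIME))
```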


9.  Conclusion 

In this paper we justify a simple algebra for the modeling of Diffie-Hellman protocols. The algebra represents multiplication of exponents and exponentiation but does not represent addition of exponents or multiplication of bases. We justify our model by linking it to a standard computational model, and show a link between the concept of derivability in the computational model and in our model. The link involves two transformations of the model: a Dolev-Yao-style formalization and a generalization to hyperfinite parameters. We show that either order of these two steps leads to the same notion of derivability.

We  then  consider  the  restriction  to  monomial  derivations  (that  is,  derivations 
that  act  as  monomials  on  exponents)  and  show  a  conservative  extension  result, 




namely, that the fuller model including multiplication of bases and addition of exponents is a conservative extension of our restricted model. This allows us to conclude that for problems that may be expressed in our restricted model, derivability in the restricted model is equivalent to derivability in the unrestricted model.
Asymptotic Results via Non-standard Analysis

Proposition .1. A necessary and sufficient condition that a function $f$ be non-negligible is that there exist a standard $n$ and $K \approx \infty$ such that $|{}^*f(K)| \ge K^{-n}$.

Proof. For $n \in \mathbb{N}$, then set In one direction apply overspill. In the other direction

$$\forall^{\mathrm{st}} k\ \exists K \ge k\ \ |{}^*f(K)| \ge K^{-n}$$

is valid. By transfer

$$\forall^{\mathrm{st}} k\ \exists^{\mathrm{st}} K \ge k\ \ |{}^*f(K)| \ge K^{-n}$$

is valid. However, if $K$ is standard, ${}^*f(K) = f(K)$. □


